
Possible attack, I don't know what to do.

After clicking a link to a web that I trust 100% (website removed) two small IE8 windows have appeared, the smaller hidden by the larger. Both appear in the taskbar with the IE icon and the title "System scanner - Windows Internet Explorer" (Vista shows the title and a small picture of the window as normal).

The larger and visible one doesn't look like an IE window, rather it looks like a Windows message. Its title is "Mensaje de página web" (this is Spanish, it means "Web page message"), the canvas has a yellow "!" triangle, the text "Warning! Your computer is at risk of malware attacks. We recommend you to check your system inmediately. Press OK to start the process now..." (this text goes in English), and a button "Aceptar" (Spanish this time, it means "OK"). It also has an "x" button to close it, no minimize or maximize ones.

Dragging the described window apart you can see the smaller window. This one looks like a real IE8 one but very small, and it's not resizable or movable. In the title bar you can read "System scanner - Wi..." at the left of the buttons to minimize, maximize and close. It has the left side of the upper IE8 bars but it's too small to have canvas.

Is this an attack or a legitimate Windows prompt? Is it wise to close the larger window (the one with the "Aceptar" (OK) button) with the "x" button in the upper right corner and perform a virus scan with ZAISS?

Last edited by Greb49er; April 20th, 2011 at 07:17 AM.
Reason: removed website

Re: Scareware, fake av attack, I don't know what to do.

As soon as you see the first "fake scanning" image - you...

Generally should not click any link/button from the pop-ups/"Warning..."/"Alert..." boxes, not even the (red) "X"/"Close" button to normally shut it off (sometimes that X button = their false link to download more malware, which is not what you want).

And of course don't buy the rogue scareware; you can remove the real infection, which 'is the rogue/scareware itself' and its scare tactics (fake pop-ups and fake infections).

When you are using ZoneAlarm Extreme Suite or a stand-alone ForceField the first fake pop-up scan/ scareware will be eliminated and not affect your 'real' pc after you 'clear virtual data'/ close out that browser(s).

or

- press hold/ keys > 'Alt' and 'F4' keys (F4 = single key usually at the top of keyboard) or 'Ctrl' and 'F4' keys

The site you visited was hacked with malware; do not go there again until they clean it up (even on once 'trusted' sites - they can be hacked). Some of my tools say it's clean, but one tool 'red flags' it with malware. Click here -> http://sitecheck.sucuri.net/scanner/...ragereview.com

Update: 4-20-11 ~ 11:15pm - it appears 'SR.com' has cleaned up its site. Rescans show clean. Nevertheless, user -factor - will have to clean up his pc.
__________________________________________________ ________

Attention: Gurus/ FM - please edit out the website name from op's post - as others may get too curious and follow to a bad site. (stor...age.view.com)

Re: Possible attack, I don't know what to do.

**** is about all I can say right now. Sometime yesterday our site (SR.com) got nailed with that code. We are still investigating how it got in and are in the process of cleaning everything out. First thought was through Google Ads, then with those disabled it was still coming through, until we saw it embedded at the bottom of the page source in IE.

So far from what we can tell it will only load while using IE (including IE9). FireFox, Chrome, Safari, etc are all playing it cool. Assuming none of the redirect or download file prompts are clicked there is no virus or malware detected on a local machine if you can kill the IE processes.

I will update the progress of our site admins as the code is gone through and cleaned out.

Re: Possible attack, I don't know what to do.

Originally Posted by dietcokefiend

**** is about all I can say right now. Sometime yesterday our site (SR.com) got nailed with that code. We are still investigating how it got in and are in the process of cleaning everything out. First thought was through Google Ads, then with those disabled it was still coming through, until we saw it embedded at the bottom of the page source in IE.

So far from what we can tell it will only load while using IE (including IE9). FireFox, Chrome, Safari, etc are all playing it cool. Assuming none of the redirect or download file prompts are clicked there is no virus or malware detected on a local machine if you can kill the IE processes.

I will update the progress of our site admins as the code is gone through and cleaned out.

Welcome to the Zone Alarm User Forum..

This Forum exists to allow Volunteer experienced Zone Alarm Users to help the Few Users who encounter a problem with ZoneAlarm and need to be guided in the right direction..

Re: Possible attack, I don't know what to do.

Well I killed IE8 with the task manager and launched a full virus scan that reported no infections.

To dietcokefiend: if it helps I followed the ocz_vertex_2_25nm_review_oczssd22vtxe60g link. I was able to read text for maybe seconds and see the pics. I'm nearly sure that I didn't click anything but maybe I passed the mouse over whatever. The page window disappeared when all happened, but two other IE8 windows stuck.

Re: Possible attack, I don't know what to do.

Well it took about a day or so after the attack, and maybe 5 hours after it was found to fix the malware injection and patch the breach. From talking with our IT guy it was an exploit coming through our forum's avatar upload feature. Everything is back in order (thankfully) and as long as nothing was downloaded by the prompts pushing those nasty executables, no harm should have been done to visitors' computers.